Berto Jongman: Google Evil – Exploits All Wi-Fi Passwords

If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide.

Recently IDC reported that 187 million Android phones were shipped in the second quarter of this year. That multiplies out to 748 million phones in 2013, a figure that does not include Android tablets.

Many (probably most) of these Android phones and tablets are phoning home to Google, backing up Wi-Fi passwords along with other assorted settings. And, although they have never said so directly, it is obvious that Google can read the passwords.

Full article with many links below the line.

Sounds like a James Bond movie.

Android devices have defaulted to coughing up Wi-Fi passwords since version 2.2. And, since the feature is presented as a good thing, most people wouldn’t change it. I suspect that many Android users have never even seen the configuration option controlling this. After all, there are dozens and dozens of system settings to configure.

And, anyone who does run across the setting can not hope to understand the privacy implication. I certainly did not.

Specifically:

In Android 2.3.4, go to Settings, then Privacy. On an HTC device, the option that gives Google your Wi-Fi password is “Back up my settings”. On a Samsung device, the option is called “Back up my data”. The only description is “Back up current settings and application data”. No mention is made of Wi-Fi passwords.

In Android 4.2, go to Settings, then “Backup and reset”. The option is called “Back up my data”. The description says “Back up application data, Wi-Fi passwords, and other settings to Google servers”.

Needless to say “settings” and “application data” are vague terms. A longer explanation of this backup feature in Android 2.3.4 can be found in the Users Guide on page 374:

Check to back up some of your personal data to Google servers, with your Google Account. If you replace your phone, you can restore the data you’ve backed up, the first time you sign in with your Google Account. If you check this option, a wide variety of you personal data is backed up, including your Wi-Fi passwords, Browser bookmarks, a list of the applications you’ve installed, the words you’ve added to the dictionary used by the onscreen keyboard, and most of the settings that you configure with the Settings application. Some third-party applications may also take advantage of this feature, so you can restore your data if you reinstall an application. If you uncheck this option, you stop backing up your data to your account, and any existing backups are deleted from Google servers.

If you check this option, a wide variety of your personal data is backed up automatically, including your Wi-Fi passwords, Browser bookmarks, a list of the apps you’ve installed from the Market app, the words you’ve added to the dictionary used by the onscreen keyboard, and most of your customized settings. Some third-party apps may also take advantage of this feature, so you can restore your data if you reinstall an app. If you uncheck this option, your data stops getting backed up, and any existing backups are deleted from Google servers.

Sounds great. Backing up your data/settings makes moving to a new Android device much easier. It lets Google configure your new Android device very much like your old one.

What is not said, is that Google can read the Wi-Fi passwords.

And, if you are reading this and thinking about one Wi-Fi network, be aware that Android devices remember the passwords to every Wi-Fi network they have logged on to. The Register writes

The list of Wi-Fi networks and passwords stored on a device is likely to extend far beyond a user’s home, and include hotels, shops, libraries, friends’ houses, offices and all manner of other places. Adding this information to the extensive maps of Wi-Fi access points built up over years by Google and others, and suddenly fandroids face a greater risk to their privacy if this data is scrutinised by outside agents.

The good news is that Android owners can opt out just by turning off the checkbox.

The bad news is that, like any American company, Google can be compelled by agencies of the U.S. government to silently spill the beans.

When it comes to Wi-Fi, the NSA, CIA and FBI may not need hackers and cryptographers. They may not need to exploit WPS or UPnP. If Android devices are offering up your secrets, WPA2 encryption and a long random password offer no protection.

I doubt that Google wants to rat out their own customers. They may simply have no choice. What large public American company would? Just yesterday, Marissa Mayer, the CEO of Yahoo, said executives faced jail if they revealed government secrets. Lavabit felt there was a choice, but it was a single person operation.

In fact, Green’s experiment is pretty much the same one that shows that Google can read Wi-Fi passwords. He describes it:

First, lose your iPhone. Now change your password using Apple’s iForgot service … Now go to an Apple store and shell out a fortune buying a new phone. If you can recover your recent iMessages onto a new iPhone — as I was able to do in an Apple store this afternoon — then Apple isn’t protecting your iMessages with your password or with a device key. Too bad.

Similarly, a brand new Android device can connect to Wi-Fi hotspots it is seeing for the very first time.

I purchased the machine late last night after work. I brought it home, set it up to charge overnight, and went to bed. This morning when I woke I put it in my bag and brought it to the office with me. I set up my Google account on the device, and then realized I had no network connection … I pulled out my Virgin Mobile Mi-Fi 2200 personal hotspot and turned it on. I searched around Honeycomb looking for the control panel to select the hotspot and enter the encryption key. To my surprise, I found that the Eee Pad had already found the Virgin hotspot, and successfully attached to it … As I looked further into this puzzling situation, I noticed that not only was my Virgin Hotspot discovered and attached, but a list of other hotspots … were also listed in the Eee Pad’s hotspot list. The only conclusion that one can draw from this is obvious – Google is storing not only a list of what hotspots you have visited, but any private encryption keys necessary to connect to those hotspots …

When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Google stores the passwords in a manner such that they can decrypt them, given only a Gmail address and password.

Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.

Sean Gallagher, who wrote the Ars article, added “The spokesperson could not speak to how … the data was secured at rest.”

… it’s great the backup/restore feature is optional. It’s great that if you turn it off Google will delete your data. It’s great that the data is encrypted in transit between the Android device and Google’s servers, so that eavesdroppers can’t pull your backup data off the wire. And it’s great they they have strong security, both digital and physical, at their data centers. However, Google’s statement doesn’t mention whether or not Google itself has access to the plaintext backup data (it does)… [The issue is] Not how easy it is for an attacker to get at this data, but how easy it is for an authorized Google employee to get at it as part of their job. This is important because if Google has access to this plaintext data, they can be compelled to give it to the US government.

Google danced around the issue of whether they can read the passwords because they don’t want people like me writing blogs like this. Maybe this is why Apple, so often, says nothing.

Eventually Lee filed an official Android feature request, asking Google to offer backups that are stored in such a way that only the end user (you and I) can access the data. The request was filed about two months ago and has been ignored by Google.

I am not revealing anything new here. All this has been out in the public before. Below is a partial list of previous articles.

However, this story has, on the whole, flown under the radar. Most tech outlets didn’t cover it (Ars Technica and The Register being exceptions) for reasons that escape me.

… my corporate office has a public, protected wireless access point. The idea that every Android device that connects with that access point shares our private corporate access key with Google is pretty unacceptable … This isn’t just a trivial concern. The fact that my company can easily lose control of their own proprietary WPA2 encryption keys just by allowing a user with an Android device to use our wireless network is significant. It illustrates a basic lack of understanding on the ethics of dealing with sensitive corporate and personal data on the behalf of the engineers, programmers and leadership at Google. Honestly, if there is any data that shouldn’t be harvested, stored and synched automatically between devices, it is encryption keys, passcodes and passwords.

Tests … at heise Security showed that after resetting an Android phone to factory settings and then synchronising with a Google account, the device was immediately able to connect to a heise test network secured using WPA2. Anyone with access to a Google account therefore has access to its Wi-Fi passwords. Given that Google maintains a database of Wi-Fi networks throughout the world for positioning purposes, this is a cause for concern in itself, as the backup means that it also has the passwords for these networks. In view of Google’s generosity in sharing data with the NSA, this now looks even more troubling … European companies are unlikely to be keen on the idea of this backup service, activated by default, allowing US secret services to access their networks with little effort.

… the data is encrypted in transit, and Google (for all we know) probably stores it encrypted at the other end. But it’s not encrypted in the sense of being inaccessible to anyone except you … Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently …

Fixing the flaw is more complicated than it might seem. Android is an open source operating system developed by Google. Android Backup Service is a proprietary service offered by Google, which runs on Android. Anyone can write new code for Android, but only Google can change the Android Backup Service.

To conclude on a Defensive Computing note, those that need Wi-Fi at home should consider using a router offering a guest network.

Make sure that Android devices accessing the private network are not backing up settings to Google. This is not realistic for the guest network, but you can enable the guest network only when needed and then shut it down afterwards. Also, you can periodically change the password of the guest network without impacting your personal wireless devices.